Radically trim down winbind?
repenny241155 at gmail.com
Fri Nov 4 11:50:37 UTC 2016
On Fri, 4 Nov 2016 12:44:46 +0100
Volker Lendecke <vl at samba.org> wrote:
> On Fri, Nov 04, 2016 at 10:56:37AM +0000, Rowland Penny wrote:
> > > Yes, and that purpose is just a wrong use. Even for 50 users. We
> > > have wbinfo -t, wbinfo --ping-dc and other tests like wbinfo -n
> > > domain\\administrator. What we could do is move the complex logic
> > > to list users into the wbinfo binary if this is such a critical
> > > feature to have under the wbinfo command. Alternatively we can
> > > provide a descriptive message to use wbinfo --ping-dc when
> > > someone types in wbinfo -u. Or turn wbinfo -u/-g into wbinfo
> > > --ping-dc if people are so used to typing wbinfo -u to test DC
> > > connectivity.
> > It is not that people are used to typing 'wbinfo -u', it is that
> > just about every 'howto create a DC' out there on the internet
> > tells you to do this ;-)
> On the DC itself the story for the locally hosted users is completely
> different. There we have access to the right credentials, we could
> even access sam.ldb if we wanted to (do we? ;-)). It is Samba as a
> member or a trusting dc that should not enumerate anything remotely.
Oh dear, just checked this page on the wiki:
and under the heading 'Testing Winbindd user/group retrieval' there is
You first need to check that Winbindd is able to retrieve domain users and groups. On a successful setup, the following commands will print all users/groups in your domain:
# wbinfo -u
# wbinfo -g
So, even we are doing this.